Stephen Lewis, AEP Networks: Protecting personal data - information assurance as a core business function of an organisation

January 2009 by Stephen Lewis, VP of Business Development, AEP Networks

The protection of personal data is a very hot issue today, and its rise to prominence has been helped dramatically by a number of high-profile data losses, mainly by government and its agents but also in the commercial sector. Although these losses may not have shocked those working in information assurance at the time, organisations handling sensitive or private data should have made it their business to secure it and so avoid further negative publicity. We ask the question: “Are we protecting the information fully?”

Well, the media interest has achieved one significant goal: we are now acutely aware that the personal details we have provided in good faith, on the understanding that they would be treated in confidence and with due care and attention, may not be receiving the protection we expect. Doing something about that is quite difficult, because we need to exchange personal data in order to carry out our day-to-day business. And it is true to say that if trust is lost between an individual and a service provider of whatever type, no business can be transacted. This is what we face if we fail to look after personal information.

It is clearly the responsibility of the organisation receiving personal data to protect that information, so what do we mean by ‘protect’?

The organisation must make sure that only authorised personnel are able to access each type of information or data. This means putting in place the necessary and appropriate access controls and data security measures in order to maintain confidentiality. It is then important to ensure that data is not moved outside the control zone that has been specified for it.

Ensuring that the information held on each and every individual is accurate is another responsibility of the organisation holding personal data. This requires integrity checks to be carried out on the data, the data to be refreshed so that it is kept up to date, and validation methods to be implemented so that individuals are able to check for themselves that their data is current.

Organisations also need to make the information available, so they will require a level of system resilience and disaster recovery strategies to be in place to cover all eventualities. Up-to-date and appropriate identity management and access control are critical: an organisation needs to know at any point in time who needs to access data, and be able to show an audit trail of those who have already accessed it.

Most of the countermeasures I see being implemented to protect personal data focus on encrypting information on mobile devices and writable media. This is excellent news for colleagues in the “data at rest” encryption business, but we are concerned that some of the fundamental issues are not being examined. It is often a business process issue that needs to be addressed in the first instance. For example, why are staff holding this information on laptops and PDAs at all? Why do they need to cut a CD or write data to a USB memory stick?

The answers certainly lie in the business practices surrounding the protection of personal data. If one Government Department has a quite legitimate need to send personal data to another organisation, then it should be possible to send it over an encrypted link rather than to cut the information to CD and consign it to the mail system. If an officer needs access to personal data while on the move, then a thin-client remote access solution, which leaves the data on the server, is surely far better than storing a copy of the data on their own machine. If staff need access to data temporarily, for a project, then the access control and identity management system must be flexible enough to allow for this; otherwise (and we have all seen this in practice) people work around the system to avoid making changes through ‘the system’.
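The three controls the article keeps returning to (time-limited, purpose-bound access for a project rather than a standing copy of the data; an audit trail of who accessed what; and integrity checks on the records themselves) can be sketched in a few dozen lines. The example below is an added illustration and is not AEP Networks' code or product; the dataset name, principals, timestamps and the integrity key are constructed sample data, and a real deployment would keep the key in a key store or HSM and write the audit log to append-only storage.

```python
"""Time-bounded access grants, an audit trail and record integrity checks.

Added illustration, not AEP Networks' code. Dataset names, principals,
timestamps and records below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed: a secret held by the data owner (in practice in an HSM or key
# store), used to seal each record so that silent modification is detectable.
INTEGRITY_KEY = b"constructed-example-key-do-not-reuse"


@dataclass(frozen=True)
class Grant:
    """A temporary, purpose-bound right for one principal on one dataset."""
    principal: str
    dataset: str
    purpose: str
    valid_from: datetime
    valid_until: datetime

    def covers(self, principal: str, dataset: str, at: datetime) -> bool:
        return (self.principal == principal and self.dataset == dataset
                and self.valid_from <= at < self.valid_until)


def seal(record: dict) -> str:
    """HMAC-SHA256 over a canonical serialisation of the record fields."""
    canonical = "\n".join(f"{k}={record[k]}" for k in sorted(record))
    return hmac.new(INTEGRITY_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: dict[str, dict[str, tuple[dict, str]]] = {}
        self._grants: list[Grant] = []
        self.audit_log: list[dict] = []   # append-only; never edited in place

    def _audit(self, principal, dataset, record_id, outcome, at, purpose=None):
        self.audit_log.append({"at": at.isoformat(), "principal": principal,
                               "dataset": dataset, "record_id": record_id,
                               "outcome": outcome, "purpose": purpose})

    def add_record(self, dataset: str, record_id: str, record: dict) -> None:
        self._records.setdefault(dataset, {})[record_id] = (dict(record), seal(record))

    def add_grant(self, grant: Grant) -> None:
        self._grants.append(grant)

    def read(self, principal: str, dataset: str, record_id: str, at: datetime) -> dict:
        """Return a copy of the record only if a grant covers this access at time `at`."""
        grant = next((g for g in self._grants if g.covers(principal, dataset, at)), None)
        if grant is None:
            self._audit(principal, dataset, record_id, "denied", at)
            raise PermissionError(f"{principal} has no current grant on {dataset}")
        record, stored_seal = self._records[dataset][record_id]
        if not hmac.compare_digest(seal(record), stored_seal):
            self._audit(principal, dataset, record_id, "integrity-failure", at)
            raise ValueError(f"record {record_id} in {dataset} fails integrity check")
        self._audit(principal, dataset, record_id, "read", at, grant.purpose)
        return dict(record)

    def tamper_for_demo(self, dataset: str, record_id: str, field: str, value: str) -> None:
        """Simulate an out-of-band edit that bypasses add_record (demo only)."""
        record, _stored_seal = self._records[dataset][record_id]
        record[field] = value   # seal is left stale, so the next read must fail


def demo() -> dict:
    t0 = datetime(2009, 1, 12, 9, 0, tzinfo=timezone.utc)   # constructed clock
    store = PersonalDataStore()
    store.add_record("benefits", "C-1001", {"name": "A. Citizen", "postcode": "AB1 2CD"})
    # Two-week project grant for one officer; nobody else gets anything.
    store.add_grant(Grant("officer.j", "benefits", "project-X review",
                          t0, t0 + timedelta(days=14)))
    results = {}
    results["in_window"] = store.read("officer.j", "benefits", "C-1001", t0 + timedelta(days=3))
    try:
        store.read("officer.j", "benefits", "C-1001", t0 + timedelta(days=15))
        results["after_expiry"] = "allowed"
    except PermissionError:
        results["after_expiry"] = "denied"
    try:
        store.read("contractor.k", "benefits", "C-1001", t0 + timedelta(days=3))
        results["no_grant"] = "allowed"
    except PermissionError:
        results["no_grant"] = "denied"
    store.tamper_for_demo("benefits", "C-1001", "postcode", "ZZ9 9ZZ")
    try:
        store.read("officer.j", "benefits", "C-1001", t0 + timedelta(days=4))
        results["tampered"] = "allowed"
    except ValueError:
        results["tampered"] = "integrity-failure"
    results["audit_outcomes"] = [e["outcome"] for e in store.audit_log]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the grant object is that the project access expires on its own and is tied to a stated purpose, so nobody has to remember to revoke it and nobody is tempted to keep a private copy; every decision, including the refusals and the tamper detection, lands in the audit log, which is the record the article says an organisation must be able to produce.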

There are flaws in the security measures of many organisations, and most are easily overcome. A review of business processes and practices is an essential first step, and this should be followed by a realistic and timely review of the communications infrastructure and the security systems already in place. Encryption will necessarily form a core part of the security of personal data, but so too will access control and identity management. Get all of these aspects right and data will stay secure, even when it is on the move. Get it wrong and the publicity drive to name and shame organisations that do not look after our data will continue with a vengeance.

AEP Networks has been working in the Information Assurance and Communications Security fields for many years and has solutions deployed in Government and Commerce providing simple and flexible network and remote access security (including multi-bearer communications capability); identity-based access control, accounting and audit systems; and data and authentication integrity assurance.

